
Information Security Policy

Version    Date         Author          Change
0.1        28 Aug 2020  Nathan Jackson  Draft Policy
0.2 - 0.3  03 Sep 2020  Shayne Green    Final Version for Approval
0.4        23 Oct 2020  Nathan Jackson  Final Version for Approval
0.5        22 Mar 2021  Craig Somers    Reviewed & Approved for Distribution
           21 Mar 2022                  Next Review Date

• Introduction
• Information Security is everyone’s responsibility
o Purpose:
o Scope:
• CloudFactory’s Information Security Principles
o Secure by Design
o Risk Based Approach to Security
o Defence in Depth
o Personnel Security
o Supply Chain Security
o Keep it Simple
o Accountability
o Operational Security
o Secure the Weakest Link

Introduction
CloudFactory is committed to properly protecting the information that it holds. Information
Security is the responsibility of every CloudFactory Core Worker and Cloud Worker. Everyone
MUST read, understand, implement and adhere to this policy and related standards, procedures
and processes.

The data and information stored and used in CloudFactory, both hard copy and electronic, are
one of CloudFactory’s most valuable assets. It is therefore essential that all information and data
that we handle is protected against the many threats that may impact workers, customer privacy
and overall service provision. These threats can range from accidental damage to the deliberate
disclosure of sensitive information.

The management of information and data currently uses many technical processes and
procedures to assist in preserving the confidentiality, integrity and availability of the information
and data held. However, these security measures can be weakened through careless actions such
as writing down or sharing a password.

Document Ref: U9FPB-EAIGK-EPQ3W-VBUKE Page 1 of 4


The purpose of this Policy is threefold:

• It sets out CloudFactory’s high level policy in relation to Information Security and
Assurance
• It lists the specific actions which CloudFactory is taking in order to meet each of the
specific policy objectives
• It sets out the guidance and procedures that apply for the secure operation of
CloudFactory’s applications and platform.

When taken together, these three points set out the standards which will be used to assure
workers and customers of the commitment to the security of CloudFactory’s information and
processing work streams.

Information Security is everyone’s responsibility


Information is an important and valuable business asset to CloudFactory. It underpins everything
we do on behalf of our customers in the processing of their information as work streams using
our own purpose-built agile engineering platform. Information security is the protection of
information assets and the management of risks to those assets.

CloudFactory’s Information Management principles state that we will “Be Secure”, specifically
that we will strive to be leaders in the security of our information, not only compliant but
proactively protecting ourselves from potential threats. We will achieve this by implementing
this policy and adhering to our Information Security Principles.

Purpose:

This Information Security Policy outlines our information security principles, goals and
objectives to ensure the confidentiality, integrity and availability of CloudFactory’s information
assets, thus protecting these assets from all threats whether internal, external, accidental or
deliberate. This policy will also provide direction and guidance to ensure the protection of
CloudFactory’s information assets by anyone handling our information.

Scope:

This policy is relevant to all of CloudFactory’s information assets, including all
classifications (public, internal, private) and will apply to the storage, communication,
transmission, usage and destruction of these information assets. This policy applies to all
workers, contractors and third parties who access, develop, maintain, acquire or use any form of
CloudFactory’s information systems and/or information assets.

CloudFactory’s Information Security Principles


CloudFactory will implement the following Information Security principles to build a secure
information environment.



Secure by Design

• Controls for the protection of confidentiality, integrity, and availability should be
designed into all aspects of solutions from initiation.
• Information security should also be designed into the business processes within which an
IT system will be used, and cover the full life-cycle from creation to destruction of assets.

Risk Based Approach to Security

• Our approach to information security will be proportionate to and based on the risk
tolerance associated with our information assets and information systems.

Defence in Depth

• We will create and maintain multiple layers of security.

Personnel Security

• All personnel, whether CloudFactory workers or third-party suppliers, are required to
achieve and maintain the appropriate level of security awareness and training for the role
and for the access that they require to carry out that role.

Supply Chain Security

• All third-party providers and any of their subcontracted suppliers, in relation to the
service provided, must conform to all necessary security standards.

Keep it Simple

• A simple design is easier to assure, communicate, test and validate.
• Simplicity breaks down barriers to adoption and information security controls should
enable CloudFactory to securely work and handle information assets in innovative ways.

Accountability

• It must be possible to hold users accountable for use of systems and access to information
assets.
• CloudFactory will monitor, record and periodically review logs to protect against threats
and unauthorised use of information systems and assets.

Operational Security

• Systems and services must be operated securely using processes and procedures that
ensure the operational security of all CloudFactory information systems.

• Information security should be continuously reassessed as technology, users, information
and security threats evolve.

Secure the Weakest Link

• When designing security controls, we must consider the weakest part of the system and
ensure that it is as secure as it needs to be.
• Systems must be maintained with up-to-date patching and security configurations. The
weakest link may change over time.

Version Date Comment


Current Version (v. 6) Mar 22, 2021 08:31 Nathan Jackson
v. 5 Mar 22, 2021 08:29 Nathan Jackson
v. 4 Oct 23, 2020 11:44 Nathan Jackson
v. 3 Oct 23, 2020 11:36 Nathan Jackson
v. 2 Sep 03, 2020 14:11 Nathan Jackson
v. 1 Aug 28, 2020 07:06 Nathan Jackson

Please write your full name to acknowledge receipt of the Information Security Policy of
CloudFactory. By signing it, you acknowledge that you have read the Information Security
Policy, understand its content and agree to comply with it.

Name Sakar Shrestha

Date: 2024-02-21



Signature Certificate
Reference number: U9FPB-EAIGK-EPQ3W-VBUKE

Signer Timestamp Signature

Sakar Shrestha
Email: sakar.shrestha03@es.cloudfactory.com

Sent: 21 Feb 2024 10:58:35 UTC


Viewed: 21 Feb 2024 10:58:39 UTC
Signed: 21 Feb 2024 10:59:56 UTC

Recipient Verification: IP address: 27.34.76.229


✔Email verified 21 Feb 2024 10:58:39 UTC Location: Kathmandu, Nepal

Document completed by all parties on:


21 Feb 2024 10:59:56 UTC


Signed with PandaDoc
